Reverse engineering and analysis for the bbystealer malware.
- The use of filesystem auditing for dynamic analysis is documented in filesystem-audit.
- The process of deobfuscating bbystealer is documented in deobfuscation.
Recently a strain of malware known as bbystealer has been infecting Discord users.
Victims are convinced to download and run a malicious executable through Discord messages. Often, the attacker poses as a friend using a compromised Discord account.
Here is an example of an exchange between the attacker and a potential victim:
Attacker: hey
can you help me?
Victim: yeah what up
Attacker: I made my own game, called Owo Paradise. can you help to test and give me review?
Victim: yeah sure
Attacker: <FILE: OwOGame.exe>
here
Anecdotally, the attacker has an unusually high rate of success compared to similar Discord malware campaigns. This is largely due to the fact that conversations are handled by the attacker manually, unlike more typicall approaches where the process is automated.
Running the executable causes a command prompt to open and display the line:
Starting game...
Then the prompt closes.
Any active Discord sessions are abruptly terminated.
When tested using the standard Discord.exe, Discord is not restarted. However, code exists in the loader for restarting Discord. It may be that other setups or versions of Discord will see the client successfully restarted after being terminated.
There seem to be no other obvious actions of the malware.
The malware works in 2 stages: the loader (injector) and the payload (injection).
- steals cookies and passwords
- steals Discord tokens
- downloads payload and injects it into Discord clients
The loader causes a command prompt to appear briefly, displaying Starting game..., before hiding itself.
To hide the command prompt, it writes a temporary PowerShell script and executes it.
The loader decrypts sensitive data stored in Chromium based browsers, including cookies and passwords.
- is active whenever an infected Discord client is running
- intercepts email addresses, passwords, credit card information, and 2FA tokens
The payload is a JavaScript file that replaces one used by Discord installations. Its purpose is to intercept sensitive data sent through Discord. The malicious code will persist until the user has restored the original file, for example by removing and reinstalling Discord.
These are recommended steps for those affected by bbystealer.
Note that these steps are based on the versions of bbystealer I analysed. Capabilities differ between versions of this malware and these steps may not be sufficient for different versions.
Furthermore, victims should be aware that part of the malicious code is downloaded by an attacker-controleld endpoint. It is impossible to guarantee that the code found in this analysis will be the same as any given incident, as the attacker may change this at any time. From multiple samples shared by other researchers, the payload seems to be roughly the same in all instances so far, so the steps described in this section may be sufficient to secure the affected system. However, one cannot be absolutely certain that all traces of malicious code have been removed without reformatting and reinstalling the system, or by restoring the system from a secure backup.
If the victim loses control of their Discord account, it is important that they notify as many Discord contacts as possibly. The malware spreads primarily due to trust between contacts and the fact that victims are not aware the person they are corresponding with has been infected.
Discord Installations:
- Discord
- Discord Canary
- DIscord Development
- Discord PTB
- Lightcord
- BetterDiscord
Browsers:
- Google Chrome
- Microsoft Edge
- Brave
- Opera
- Yandex
Cryptocurrency Wallets:
- MetaMask
- Exodus
Discord tokens from affected Discord installations are compromised. The victim should immediately log out of all Discord clients to invalidate any stolen tokens.
The victim should not attempt to change their Discord password from within the Discord client before completely removing and reinstalling Discord. Malicious code is injected into Discord and is designed to intercept passwords from within the client.
In the event that the victim loses access to their Discord account, they can contact Discord support to recover their account. There is a significant number of users reporting that they were able to successfuly recover their account through Discord support, usually within a few days.
All saved passwords and cookies stored in the affected browsers should be considered compromised. Passwords must be changed. Any accounts currently logged into an affected browser should be logged out to invalidate session cookies.
Private keys for affected cryptocurrency wallets may be compromised. Any cryptocurrency secured by these private keys should be immediately transfered to an unaffected wallet.
Malicious code is injected in some Discord installations and will remain active. A file used by these Discord installations is replaced by malicious code. To remove of malicious code and restore normal functionality to Discord, affected installations should be completely removed and reinstalled.
The nexe executable downloads and saves its npm package dependencies to %homedrive%%homepath%.nexe_natives\.
This is unlikely to pose a security risk, but may be an undesired use of disk space for the victim.
I must reiterate that the behaviour of the malware is subject to change. The only way to be absolutely certain that no malicious code remains is to reformat and reinstall the system or restore the system from a secure backup.
bbystealer is a malicious executable, typically spread through Discord messages using infected accounts.
The malware immediately steals tokens from Discord clients, including official and non-official installations. The malware also steals cookies and passwords from many Chromium-based browsers. Some versions of the malware include additional features, such as stealing cryptocurrency wallet credentials.
The malware downloads a malicious payload from an attacker-controlled endpoint. Malicious code is injected into official and non-official Discord clients. The injected code allows Discord to appear to behave as normal, but will intercept sensitive information such as passwords and credit card information.
Upon a possible infection, steps should immediately be taken to secure cookies, passwords, tokens, and cryptocurrency wallets on the affected system. Additionally, Discord contacts of the victim should be warned of the malware.
Other users have analysed this strain of malware before me. Notably, kem0x/Discord-Trojan-Research was helpful when beginning this analysis. It describes how the malicious code is packaged using nexe, and how the code acts in 2 stages, with a loader and remote payload.
I'd also like to thank ButterscotchV for sharing their research with me and providing additional samples of bbystealer derivatives for analysis.
Lastly, bbystealer is based on the Stanley-GF/PirateStealer project on Github. While I condemn the practice of sharing malware as was the case with PirateStealer, I must acknowledge that the availability of this source code was useful for reverse engineering the malicious executable.